Configure Microsoft Entra ID to meet CMMC Level 2

Microsoft Entra ID helps meet identity-related practice requirements in each Cybersecurity Maturity Model Certification (CMMC) level. To be compliant with requirements in CMMC V2.0 level 2, it's the responsibility of companies performing work with, and on behalf of, the US Dept. of Defense (DoD) to complete other configurations or processes.

In CMMC Level 2, there are 13 domains that have one or more practices related to identity:

  • Access Control (AC)
  • Audit & Accountability (AU)
  • Configuration Management (CM)
  • Identification & Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PE)
  • Risk Assessment (RA)
  • Security Assessment (CA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

The remainder of this article provides guidance for all of the domains except Access Control (AC) and Identification and Authentication (IA) which are covered in other articles. For each domain, there's a table with links to content that provides step-by-step guidance to accomplish the practice.

Audit & Accountability

The following table provides a list of practice statement and objectives, and Microsoft Entra guidance and recommendations to enable you to meet these requirements with Microsoft Entra ID.

CMMC practice statement and objectives Microsoft Entra guidance and recommendations
AU.L2-3.3.1

Practice statement: Create and retain system audit logs and records to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

Objectives:
Determine if:
[a.] audit logs (for example, event types to be logged) to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified;
[b.] the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined;
[c.] audit records are created (generated);
[d.] audit records, once created, contain the defined content;
[e.] retention requirements for audit records are defined; and
[f.] audit records are retained as defined.

AU.L2-3.3.2

Practice statement: Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

Objectives:
Determine if:
[a.] the content of the audit records needed to support the ability to uniquely trace users to their actions is defined; and
[b.] audit records, once created, contain the defined content.
All operations are audited within the Microsoft Entra audit logs. Each audit log entry contains a user’s immutable objectID that can be used to uniquely trace an individual system user to each action. You can collect and analyze logs by using a Security Information and Event Management (SIEM) solution such as Microsoft Sentinel. Alternatively, you can use Azure Event Hubs to integrate logs with third-party SIEM solutions to enable monitoring and notification.
Audit activity reports in the Azure portal
Connect Microsoft Entra data to Microsoft Sentinel
Tutorial: Stream logs to an Azure event hub
AU.L2-3.3.4

Practice statement: Alert if an audit logging process fails.

Objectives:
Determine if:
[a.] personnel or roles to be alerted if an audit logging process failure is identified;
[b.] types of audit logging process failures for which alert will be generated are defined; and
[c] identified personnel or roles are alerted in the event of an audit logging process failure.
Azure Service Health notifies you about Azure service incidents so you can take action to mitigate downtime. Configure customizable cloud alerts for Microsoft Entra ID.
What is Azure Service Health?
Three ways to get notified about Azure service issues
Azure Service Health
AU.L2-3.3.6

Practice statement: Provide audit record reduction and report generation to support on-demand analysis and reporting.

Objectives:
Determine if:
[a.] an audit record reduction capability that supports on-demand analysis is provided; and
[b.] a report generation capability that supports on-demand reporting is provided.
Ensure Microsoft Entra events are included in event logging strategy. You can collect and analyze logs by using a Security Information and Event Management (SIEM) solution such as Microsoft Sentinel. Alternatively, you can use Azure Event Hubs to integrate logs with third-party SIEM solutions to enable monitoring and notification. Use Microsoft Entra entitlement management with access reviews to ensure compliance status of accounts.
Audit activity reports in the Azure portal
Connect Microsoft Entra data to Microsoft Sentinel
Tutorial: Stream logs to an Azure event hub
AU.L2-3.3.8

Practice statement: Protect audit information and audit logging tools from unauthorized access, modification, and deletion.

Objectives:
Determine if:
[a.] audit information is protected from unauthorized access;
[b.] audit information is protected from unauthorized modification;
[c.] audit information is protected from unauthorized deletion;
[d.] audit logging tools are protected from unauthorized access;
[e.] audit logging tools are protected from unauthorized modification; and
[f.] audit logging tools are protected from unauthorized deletion.

AU.L2-3.3.9

Practice statement: Limit management of audit logging functionality to a subset of privileged users.

Objectives:
Determine if:
[a.] a subset of privileged users granted access to manage audit logging functionality is defined; and
[b.] management of audit logging functionality is limited to the defined subset of privileged users.
Microsoft Entra logs are retained by default for 30 days. These logs are unable to modified or deleted and are only accessible to limited set of privileged roles.
Sign-in logs in Microsoft Entra ID
Audit logs in Microsoft Entra ID

Configuration Management (CM)

The following table provides a list of practice statement and objectives, and Microsoft Entra guidance and recommendations to enable you to meet these requirements with Microsoft Entra ID.

CMMC practice statement and objectives Microsoft Entra guidance and recommendations
CM.L2-3.4.2

Practice statement: Establish and enforce security configuration settings for information technology products employed in organizational systems.

Objectives:
Determine if:
[a.] security configuration settings for information technology products employed in the system are established and included in the baseline configuration; and
[b.] security configuration settings for information technology products employed in the system are enforced.
Adopt a zero-trust security posture. Use Conditional Access policies to restrict access to compliant devices. Configure policy settings on the device to enforce security configuration settings on the device with MDM solutions such as Microsoft Intune. Microsoft Configuration Manager or group policy objects can also be considered in hybrid deployments and combined with Conditional Access require Microsoft Entra hybrid joined device.

Zero-trust
Securing identity with Zero Trust

Conditional Access
What is Conditional Access in Microsoft Entra ID?
Grant controls in Conditional Access policy

Device policies
What is Microsoft Intune?
What is Defender for Cloud Apps?
What is app management in Microsoft Intune?
Microsoft endpoint management solutions
CM.L2-3.4.5

Practice statement: Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.

Objectives:
Determine if:
[a.] physical access restrictions associated with changes to the system are defined;
[b.] physical access restrictions associated with changes to the system are documented;
[c.] physical access restrictions associated with changes to the system are approved;
[d.] physical access restrictions associated with changes to the system are enforced;
[e.] logical access restrictions associated with changes to the system are defined;
[f.] logical access restrictions associated with changes to the system are documented;
[g.] logical access restrictions associated with changes to the system are approved; and
[h.] logical access restrictions associated with changes to the system are enforced.
Microsoft Entra ID is a cloud-based identity and access management service. Customers don't have physical access to the Microsoft Entra datacenters. As such, each physical access restriction is satisfied by Microsoft and inherited by the customers of Microsoft Entra ID. Implement Microsoft Entra role based access controls. Eliminate standing privileged access, provide just in time access with approval workflows with Privileged Identity Management.
Overview of Microsoft Entra role-based access control (RBAC)
What is Privileged Identity Management?
Approve or deny requests for Microsoft Entra roles in PIM
CM.L2-3.4.6

Practice statement: Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

Objectives:
Determine if:
[a.] essential system capabilities are defined based on the principle of least functionality; and
[b.] the system is configured to provide only the defined essential capabilities.
Configure device management solutions (Such as Microsoft Intune) to implement a custom security baseline applied to organizational systems to remove non-essential applications and disable unnecessary services. Leave only the fewest capabilities necessary for the systems to operate effectively. Configure Conditional Access to restrict access to compliant or Microsoft Entra hybrid joined devices.
What is Microsoft Intune
Require device to be marked as compliant
Grant controls in Conditional Access policy - Require Microsoft Entra hybrid joined device
CM.L2-3.4.7

Practice statement: Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

Objectives:
Determine if:
[a.]essential programs are defined;
[b.] the use of nonessential programs is defined;
[c.] the use of nonessential programs is restricted, disabled, or prevented as defined;
[d.] essential functions are defined;
[e.] the use of nonessential functions is defined;
[f.] the use of nonessential functions is restricted, disabled, or prevented as defined;
[g.] essential ports are defined;
[h.] the use of nonessential ports is defined;
[i.] the use of nonessential ports is restricted, disabled, or prevented as defined;
[j.] essential protocols are defined;
[k.] the use of nonessential protocols is defined;
[l.] the use of nonessential protocols is restricted, disabled, or prevented as defined;
[m.] essential services are defined;
[n.] the use of nonessential services is defined; and
[o.] the use of nonessential services is restricted, disabled, or prevented as defined.
Use Application Administrator role to delegate authorized use of essential applications. Use App Roles or group claims to manage least privilege access within application. Configure user consent to require admin approval and don't allow group owner consent. Configure Admin consent request workflows to enable users to request access to applications that require admin consent. Use Microsoft Defender for Cloud Apps to identify unsanctioned/unknown application use. Use this telemetry to then determine essential/non-essential apps.
Microsoft Entra built-in roles - Application Administrator
Microsoft Entra App Roles - App Roles vs. Groups
Configure how users consent to applications
Configure group owner consent to apps accessing group data
Configure the admin consent workflow
What is Defender for Cloud Apps?
Discover and manage Shadow IT tutorial
CM.L2-3.4.8

Practice statement: Apply deny-by-exception (blocklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (allowlist) policy to allow the execution of authorized software.

Objectives:
Determine if:
[a.] a policy specifying whether allowlist or blocklist is to be implemented is specified;
[b.] the software allowed to execute under allowlist or denied use under blocklist is specified; and
[c.] allowlist to allow the execution of authorized software or blocklist to prevent the use of unauthorized software is implemented as specified.

CM.L2-3.4.9

Practice statement: Control and monitor user-installed software.

Objectives:
Determine if:
[a.] a policy for controlling the installation of software by users is established;
[b.] installation of software by users is controlled based on the established policy; and
[c.] installation of software by users is monitored.
Configure MDM/configuration management policy to prevent the use of unauthorized software. Configure Conditional Access grant controls to require compliant or hybrid joined device to incorporate device compliance with MDM/configuration management policy into the Conditional Access authorization decision.
What is Microsoft Intune
Conditional Access - Require compliant or hybrid joined devices

Incident Response (IR)

The following table provides a list of practice statement and objectives, and Microsoft Entra guidance and recommendations to enable you to meet these requirements with Microsoft Entra ID.

CMMC practice statement and objectives Microsoft Entra guidance and recommendations
IR.L2-3.6.1

Practice statement: Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

Objectives:
Determine if:
[a.] an operational incident-handling capability is established;
[b.] the operational incident-handling capability includes preparation;
[c.] the operational incident-handling capability includes detection;
[d.] the operational incident-handling capability includes analysis;
[e.] the operational incident-handling capability includes containment;
[f.] the operational incident-handling capability includes recovery; and
[g.] the operational incident-handling capability includes user response activities.
Implement incident handling and monitoring capabilities. The audit logs record all configuration changes. Authentication and authorization events are audited within the sign-in logs, and any detected risks are audited in the Microsoft Entra ID Protection logs. You can stream each of these logs directly into a SIEM solution, such as Microsoft Sentinel. Alternatively, use Azure Event Hubs to integrate logs with third-party SIEM solutions.

Audit events
Audit activity reports in the Azure portal
Sign-in activity reports in the Azure portal
How To: Investigate risk

SIEM integrations
Microsoft Sentinel : Connect data from Microsoft Entra IDStream to Azure event hub and other SIEMs

Maintenance (MA)

The following table provides a list of practice statement and objectives, and Microsoft Entra guidance and recommendations to enable you to meet these requirements with Microsoft Entra ID.

CMMC practice statement and objectives Microsoft Entra guidance and recommendations
MA.L2-3.7.5

Practice statement: Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

Objectives:
Determine if:
[a.] multifactor authentication is used to establish nonlocal maintenance sessions via external network connections; and
[b.] nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete.
Accounts assigned administrative rights are targeted by attackers, including accounts used to establish non-local maintenance sessions. Requiring multifactor authentication (MFA) on those accounts is an easy way to reduce the risk of those accounts being compromised.
Conditional Access - Require MFA for administrators
MP.L2-3.8.7

Practice statement: Control the use of removable media on system components.

Objectives:
Determine if:
[a.] the use of removable media on system components is controlled.
Configure device management policies via MDM (such as Microsoft Intune), Configuration Manager, or group policy objects (GPO) to control the use of removable media on systems. Deploy and manage Removable Storage Access Control using Intune, Configuration Manager, or Group Policy. Configure Conditional Access policies to enforce device compliance.

Conditional Access
Require device to be marked as compliant
Require Microsoft Entra hybrid joined device

Intune
Device compliance policies in Microsoft Intune

Removable storage access control
Deploy and manage Removable Storage Access Control using Intune
Deploy and manage Removable Storage Access Control using group policy

Personnel Security (PS)

The following table provides a list of practice statement and objectives, and Microsoft Entra guidance and recommendations to enable you to meet these requirements with Microsoft Entra ID.

CMMC practice statement and objectives Microsoft Entra guidance and recommendations
PS.L2-3.9.2

Practice statement: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

Objectives:
Determine if:
[a.] a policy and/or process for terminating system access and any credentials coincident with personnel actions is established;
[b.] system access and credentials are terminated consistent with personnel actions such as termination or transfer; and
[c] the system is protected during and after personnel transfer actions.
Configure provisioning (including disablement upon termination) of accounts in Microsoft Entra ID from external HR systems, on-premises Active Directory, or directly in the cloud. Terminate all system access by revoking existing sessions.

Account provisioning
What is identity provisioning with Microsoft Entra ID?
Microsoft Entra Connect Sync: Understand and customize synchronization
What is Microsoft Entra Connect cloud sync?

Revoke all associated authenticators
Revoke user access in an emergency in Microsoft Entra ID

System and Communications Protection (SC)

The following table provides a list of practice statement and objectives, and Microsoft Entra guidance and recommendations to enable you to meet these requirements with Microsoft Entra ID.

CMMC practice statement and objectives Microsoft Entra guidance and recommendations
SC.L2-3.13.3

Practice statement: Separate user functionality form system management functionality.

Objectives:
Determine if:
[a.] user functionality is identified;
[b.] system management functionality is identified; and
[c.] user functionality is separated from system management functionality.
Maintain separate user accounts in Microsoft Entra ID for everyday productivity use and administrative or system/privileged management. Privileged accounts should be cloud-only or managed accounts and not synchronized from on-premises to protect the cloud environment from on-premises compromise. System/privileged access should only be permitted from a security hardened privileged access workstation (PAW). Configure Conditional Access device filters to restrict access to administrative applications from PAWs that are enabled using Azure Virtual Desktops.
Why are privileged access devices important
Device Roles and Profiles
Filter for devices as a condition in Conditional Access policy
Azure Virtual Desktop
SC.L2-3.13.4

Practice statement: Prevent unauthorized and unintended information transfer via shared system resources.

Objectives:
Determine if:
[a.] unauthorized and unintended information transfer via shared system resources is prevented.
Configure device management policies via MDM (such as Microsoft Intune), Configuration Manager, or group policy objects (GPO) to ensure devices are compliant with system hardening procedures. Include compliance with company policy regarding software patches to prevent attackers from exploiting flaws.

Configure Conditional Access policies to enforce device compliance.

Conditional Access
Require device to be marked as compliant
Require Microsoft Entra hybrid joined device

InTune
Device compliance policies in Microsoft Intune
SC.L2-3.13.13

Practice statement: Control and monitor the use of mobile code.

Objectives:
Determine if:
[a.] use of mobile code is controlled; and
[b.] use of mobile code is monitored.
Configure device management policies via MDM (such as Microsoft Intune), Configuration Manager, or group policy objects (GPO) to disable the use of mobile code. Where use of mobile code is required monitor the use with endpoint security such as Microsoft Defender for Endpoint.

Configure Conditional Access policies to enforce device compliance.

Conditional Access
Require device to be marked as compliant
Require Microsoft Entra hybrid joined device

InTune
Device compliance policies in Microsoft Intune

Defender for Endpoint
Microsoft Defender for Endpoint

System and Information Integrity (SI)

The following table provides a list of practice statement and objectives, and Microsoft Entra guidance and recommendations to enable you to meet these requirements with Microsoft Entra ID.

CMMC practice statement and objectives Microsoft Entra guidance and recommendations
SI.L2-3.14.7

Practice statement:

Objectives: Identify unauthorized use of organizational systems.
Determine if:
[a.] authorized use of the system is defined; and
[b.] unauthorized use of the system is identified.
Consolidate telemetry: Microsoft Entra logs to stream to SIEM, such as Azure Sentinel Configure device management policies via MDM (such as Microsoft Intune), Configuration Manager, or group policy objects (GPO) to require Intrusion Detection/Protection (IDS/IPS) such as Microsoft Defender for Endpoint is installed and in use. Use telemetry provided by the IDS/IPS to identify unusual activities or conditions related to inbound and outbound communications traffic or unauthorized use.

Configure Conditional Access policies to enforce device compliance.

Conditional Access
Require device to be marked as compliant
Require Microsoft Entra hybrid joined device

InTune
Device compliance policies in Microsoft Intune

Defender for Endpoint
Microsoft Defender for Endpoint

Next steps